From 5b12c89dba2515221131ea527ed1e470a35dde93 Mon Sep 17 00:00:00 2001 
From: Mikhail Morfikov Date: Sat, 13 Mar 2021 09:47:36 +0100 Subject: [PATCH] update apparmor profiles --- apparmor.d/abstractions/fontconfig-cache-read | 6 ++ .../abstractions/fontconfig-cache-write | 7 ++ apparmor.d/abstractions/trash | 6 ++ apparmor.d/android-studio | 2 +- apparmor.d/appstreamcli | 2 + apparmor.d/arduino | 2 +- apparmor.d/calibre | 2 +- apparmor.d/cawbird | 2 +- apparmor.d/colord | 2 + apparmor.d/dino-im | 64 ++++++++++++++ apparmor.d/engrampa | 7 +- apparmor.d/f3read | 6 +- apparmor.d/f3write | 2 + apparmor.d/firefox | 2 +- apparmor.d/font-manager | 86 +++++++++++++++++++ apparmor.d/fritzing | 79 +++++++++++++++++ apparmor.d/fusermount | 4 + apparmor.d/geany | 4 +- apparmor.d/gparted | 1 + apparmor.d/gvfs-afc-volume-monitor | 24 ++++++ apparmor.d/gvfs-goa-volume-monitor | 24 ++++++ apparmor.d/gvfs-gphoto2-volume-monitor | 35 ++++++++ apparmor.d/gvfs-mtp-volume-monitor | 27 ++++++ apparmor.d/gvfs-udisks2-volume-monitor | 63 ++++++++++++++ apparmor.d/gvfsd | 72 ++++++++++++++++ apparmor.d/gvfsd-metadata | 30 +++++++ apparmor.d/hardinfo | 2 +- apparmor.d/hypnotix | 30 ++++++- apparmor.d/minitube | 27 +++++- apparmor.d/mount | 5 ++ apparmor.d/mpv | 28 +++++- apparmor.d/quiterss | 2 +- apparmor.d/smtube | 2 +- apparmor.d/spacefm | 3 +- apparmor.d/ssh | 40 +++++++++ apparmor.d/strawberry | 2 +- apparmor.d/strawberry-tagreader | 2 +- apparmor.d/systemd-analyze | 2 +- apparmor.d/tint2 | 2 +- apparmor.d/umount | 2 + apparmor.d/umount.udisks2 | 23 +++++ .../{usr.sbin.tcpdump => usr.bin.tcpdump} | 0 apparmor.d/usr.sbin.apt-cacher-ng | 17 ++-- apparmor.d/virt-manager | 2 +- apparmor.d/vlc | 26 +++++- apparmor.d/xarchiver | 5 ++ apparmor.d/xdg-screensaver | 35 +------- apparmor.d/xfconfd | 4 +- 48 files changed, 755 insertions(+), 67 deletions(-) create mode 100644 apparmor.d/dino-im create mode 100644 apparmor.d/font-manager create mode 100644 apparmor.d/fritzing create mode 100644 apparmor.d/gvfs-afc-volume-monitor create mode 100644 
apparmor.d/gvfs-goa-volume-monitor create mode 100644 apparmor.d/gvfs-gphoto2-volume-monitor create mode 100644 apparmor.d/gvfs-mtp-volume-monitor create mode 100644 apparmor.d/gvfs-udisks2-volume-monitor create mode 100644 apparmor.d/gvfsd create mode 100644 apparmor.d/gvfsd-metadata create mode 100644 apparmor.d/ssh create mode 100644 apparmor.d/umount.udisks2 rename apparmor.d/{usr.sbin.tcpdump => usr.bin.tcpdump} (100%) diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 7e57663a9..3cb8b828b 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -41,3 +41,9 @@ deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w, /usr/share/**/.uuid r, deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, + + # For Google Fonts downloaded via font-manager + owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid" r, + deny "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" w, + owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid" r, + deny "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w, diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 7a358ca43..9299dea46 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write 
@@ -25,3 +25,10 @@ link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*, /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r, deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, + + # For Google Fonts downloaded via font-manager (###FIXME### when they fix resolving of vars) + owner "@{HOME}/.local/share/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" rw, + link "@{HOME}/.local/share/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*", + owner "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" rw, + link "@{HOME}/.local/share/fonts/Google Fonts/**/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/**/.uuid.TMP-*", + diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash index 27b3cbda7..d32cc024c 100644 --- a/apparmor.d/abstractions/trash +++ b/apparmor.d/abstractions/trash @@ -26,6 +26,8 @@ owner @{HOME}/.local/share/Trash/files/{,**} rw, owner @{HOME}/.local/share/Trash/info/ rw, owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw, + owner @{HOME}/.local/share/Trash/expunged/ rw, + owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw, # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir owner /media/*/.Trash/ rw, @@ -35,6 +37,8 @@ owner /media/*/.Trash/[0-9]*/files/{,**} rw, owner /media/*/.Trash/[0-9]*/info/ rw, owner /media/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw, + owner /media/*/.Trash/[0-9]*/expunged/ rw, + owner /media/*/.Trash/[0-9]*/expunged/[0-9]* rw, # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner /media/*/.Trash-[0-9]*/ rw, @@ -43,3 +47,5 @@ owner /media/*/.Trash-[0-9]*/files/{,**} rw, owner /media/*/.Trash-[0-9]*/info/ rw, owner /media/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw, + owner /media/*/.Trash-[0-9]*/expunged/ rw, + owner /media/*/.Trash-[0-9]*/expunged/[0-9]* rw, diff --git a/apparmor.d/android-studio b/apparmor.d/android-studio index b2cb9f292..12d8de187 100644 
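Review bot: The two added `link` rules name their target as `/home/*/...` rather than `@{HOME}/...`, so a `.uuid.TMP-*` under any user's font directory is an acceptable link target, and unlike the neighbouring `rw` rules they carry no `owner` qualifier. The `###FIXME###` explains the variable-resolution workaround, but `owner` is independent of it: `owner link "@{HOME}/.local/share/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",` (and the same for the `**` variant) keeps the rule to files owned by the confined process's user. Naming in the comment which parser issue the FIXME waits on would make it easy to revisit once `@{HOME}` can be used on the target side.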
--- a/apparmor.d/android-studio +++ b/apparmor.d/android-studio @@ -211,7 +211,7 @@ profile android-studio @{exec_path} { @{PROC}/vmstat r, @{PROC}/loadavg r, - @{sys}/fs/cgroup/*/** r, + @{sys}/fs/cgroup/{,**} r, /var/tmp/ r, /tmp/ r, diff --git a/apparmor.d/appstreamcli b/apparmor.d/appstreamcli index 938d61eb1..44ccbed3b 100644 --- a/apparmor.d/appstreamcli +++ b/apparmor.d/appstreamcli @@ -36,6 +36,8 @@ profile appstreamcli @{exec_path} flags=(complain) { owner /var/cache/app-info/{,**} rw, owner /tmp/appstream-cache-*.mdb rw, + owner /tmp/appstream/ rw, + owner /tmp/appstream/appcache-*.mdb rw, owner @{HOME}/.local/share/mime/mime.cache r, /usr/share/mime/mime.cache r, diff --git a/apparmor.d/arduino b/apparmor.d/arduino index 59af97971..558cf11f0 100644 --- a/apparmor.d/arduino +++ b/apparmor.d/arduino @@ -109,7 +109,7 @@ profile arduino @{exec_path} { /etc/avrdude.conf r, - @{sys}/fs/cgroup/** r, + @{sys}/fs/cgroup/{,**} r, @{sys}/class/tty/ r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r, diff --git a/apparmor.d/calibre b/apparmor.d/calibre index 57cb06b19..36e24ecf2 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre @@ -111,7 +111,7 @@ profile calibre @{exec_path} { owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, - owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, owner /tmp/calibre_*_tmp_*/{,**} rw, owner /tmp/calibre-*/{,**} rw, diff --git a/apparmor.d/cawbird b/apparmor.d/cawbird index e67550031..4802b6bef 100644 --- a/apparmor.d/cawbird +++ b/apparmor.d/cawbird 
@@ -42,7 +42,7 @@ profile cawbird @{exec_path} { owner @{HOME}/.cache/cawbird-* rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, - owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/colord b/apparmor.d/colord index 4546abee4..ac00f858a 100644 --- a/apparmor.d/colord +++ b/apparmor.d/colord @@ -27,6 +27,8 @@ profile colord @{exec_path} { /usr/libexec/colord-sane rPx, owner /var/lib/colord/** r, + owner /var/lib/colord/.cache/ rw, + owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db rwk, /etc/udev/hwdb.bin r, diff --git a/apparmor.d/dino-im b/apparmor.d/dino-im new file mode 100644 index 000000000..18ae09971 --- /dev/null +++ b/apparmor.d/dino-im 
@@ -0,0 +1,64 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/dino-im +profile dino-im @{exec_path} { + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + # Needed for GPG/PGP support + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, + + include + owner @{run}/user/[0-9]*/dconf/ w, + owner @{run}/user/[0-9]*/dconf/user rw, + + owner @{HOME}/.local/share/dino/ rw, + owner @{HOME}/.local/share/dino/** rwk, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner @{PROC}/@{pid}/fd/ r, + + + profile gpg { + include + + /{usr/,}bin/gpg mr, + /{usr/,}bin/gpgconf mr, + /{usr/,}bin/gpgsm mr, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + } + + include if exists +} diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa index 4deba277d..99e37678f 100644 --- a/apparmor.d/engrampa +++ b/apparmor.d/engrampa @@ -23,7 +23,6 @@ profile engrampa @{exec_path} { include include include - include include @{exec_path} mr, @@ -45,12 +44,17 @@ profile engrampa @{exec_path} { /{usr/,}bin/bzip2 rix, /{usr/,}bin/cpio rix, /{usr/,}bin/gzip rix, + /{usr/,}bin/zstd rix, # For deb packages /{usr/,}bin/dpkg-deb rix, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /{usr/,}bin/xdg-open rCx -> open, + include + owner @{run}/user/[0-9]*/dconf/ rw, + owner @{run}/user/[0-9]*/dconf/user rw, + owner @{HOME}/.config/engrampa/ rw, / r, 
@@ -69,6 +73,7 @@ profile engrampa @{exec_path} { owner @{HOME}/.config/mimeapps.list{,.*} rw, owner @{HOME}/.local/share/ r, + owner @{HOME}/.local/share/gvfs-metadata/** r, /usr/share/engrampa/{,**} r, diff --git a/apparmor.d/f3read b/apparmor.d/f3read index 9710073dc..ea7c30fa6 100644 --- a/apparmor.d/f3read +++ b/apparmor.d/f3read @@ -22,10 +22,12 @@ profile f3read @{exec_path} { # USB drive mount locations /media/*/ r, /media/*/*/ r, + /mnt/ r, # To be able to read h2w files - /media/*/[0-9]*.h2w r, - /media/*/*/[0-9]*.h2w r, + owner /media/*/[0-9]*.h2w r, + owner /media/*/*/[0-9]*.h2w r, + owner /mnt/[0-9]*.h2w r, include if exists } diff --git a/apparmor.d/f3write b/apparmor.d/f3write index c7eb9b0d8..17412fea7 100644 --- a/apparmor.d/f3write +++ b/apparmor.d/f3write @@ -26,10 +26,12 @@ profile f3write @{exec_path} { # USB drive mount locations /media/*/ r, /media/*/*/ r, + /mnt/ r, # To be able to write h2w files owner /media/*/[0-9]*.h2w w, owner /media/*/*/[0-9]*.h2w w, + owner /mnt/[0-9]*.h2w w, include if exists } diff --git a/apparmor.d/firefox b/apparmor.d/firefox index 2ccd4e057..0e13c1bef 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -96,7 +96,7 @@ profile firefox @{exec_path} { owner @{MOZ_CACHEDIR}/** rwk, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, - owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, deny @{sys}/devices/system/cpu/present r, deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, diff --git a/apparmor.d/font-manager b/apparmor.d/font-manager new file mode 100644 index 000000000..e3121d29a --- /dev/null +++ b/apparmor.d/font-manager 
@@ -0,0 +1,86 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/font-manager +profile font-manager @{exec_path} { + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} r, + + /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, + /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, + + /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, + + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/font-manager/ rw, + owner @{HOME}/.cache/font-manager/* rwk, + + owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, + + owner @{HOME}/.config/font-manager/ rw, + owner @{HOME}/.config/font-manager/* rw, + + owner @{HOME}/.config/fontconfig/ rw, + owner @{HOME}/.config/fontconfig/conf.d/ rw, + owner @{HOME}/.config/fontconfig/conf.d/* rw, + + owner @{HOME}/.local/share/fonts/ rw, + owner "@{HOME}/.local/share/fonts/Google Fonts/" rw, + owner "@{HOME}/.local/share/fonts/Google Fonts/**" rw, + + owner @{HOME}/.local/share/ r, + owner @{HOME}/.local/share/gvfs-metadata/** r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/smaps r, + @{PROC}zoneinfo r, + + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/system/node/ r, 
+ @{sys}/fs/cgroup/{,**} r, + + /dev/ r, + /dev/dri/ r, + + include + @{run}/user/[0-9]*/dconf/ rw, + @{run}/user/[0-9]*/dconf/user rw, + + # Silencer + owner /var/cache/fontconfig/ w, + deny /var/cache/fontconfig/ w, + + include if exists +} diff --git a/apparmor.d/fritzing b/apparmor.d/fritzing new file mode 100644 index 000000000..321c5bd8b --- /dev/null +++ b/apparmor.d/fritzing 
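Review bot: `WebKitWebProcess` and `WebKitNetworkProcess` are executed with `rix`, so the process that renders remote content (the `network` rules and the `Google Fonts/` download directory suggest a web-based font browser) inherits the whole profile, including `rw` on `~/.config/fontconfig/conf.d/`, `~/.local/share/fonts/` and the dconf database. A child profile (`rCx -> webkit` plus a `profile webkit { ... }` block holding only what the renderer needs) would keep a compromised renderer away from those writes; this commit already applies that pattern to `gpg` in dino-im, so the style is established. Separately, `@{exec_path} r,` is the only new profile in this commit whose own binary is not `mr`; if font-manager is an ELF executable rather than a script this reads like a typo for `@{exec_path} mr,`. The two `/var/cache/fontconfig/` silencer lines would also read better with the `deny` first, since it is the rule that wins.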
@@ -0,0 +1,79 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/fritzing{,.real} +profile fritzing @{exec_path} { + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + + @{exec_path} mrix, + + owner @{HOME}/.config/Fritzing/ rw, + owner @{HOME}/.config/Fritzing/** rwkl -> @{HOME}/.config/Fritzing/**, + + owner @{HOME}/Documents/Fritzing/ rw, + owner @{HOME}/Documents/Fritzing/** rw, + + # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /usr/share/fritzing/{,**} r, + + /usr/share/hwdata/pnp.ids r, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /etc/debian_version r, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/tty/ r, + @{sys}/devices/**/tty*/uevent r, + @{sys}/devices/**/tty/**/uevent r, + + @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* + @{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]* + + /dev/ttyS[0-9]* rw, + /dev/ttyACM[0-9]* rw, + + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, + + include if exists +} diff --git a/apparmor.d/fusermount b/apparmor.d/fusermount index 6fb3af15f..1efe12faa 100644 --- a/apparmor.d/fusermount +++ b/apparmor.d/fusermount 
@@ -41,11 +41,15 @@ profile fusermount @{exec_path} { # For MTP mount -> /, + # For GVFS + mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, + # Be able to unmount the ISO images umount /home/*/*/, umount /home/*/*/*/, umount /home/*/.cache/**/, umount /media/*/, + umount @{run}/user/[0-9]*/**/, # Image files to be mounted owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, diff --git a/apparmor.d/geany b/apparmor.d/geany index 36b1d9e50..ce89e5abd 100644 --- a/apparmor.d/geany +++ b/apparmor.d/geany @@ -29,8 +29,8 @@ profile geany @{exec_path} { deny capability sys_nice, -# network inet stream, -# network inet6 stream, + network inet stream, + network inet6 stream, @{exec_path} mr, diff --git a/apparmor.d/gparted b/apparmor.d/gparted index c47973fa4..a383572cc 100644 --- a/apparmor.d/gparted +++ b/apparmor.d/gparted @@ -30,6 +30,7 @@ profile gparted @{exec_path} { /{usr/,}bin/sed rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/rm rix, + /{usr/,}bin/gawk rix, /{usr/,}lib/udisks2/udisks2-inhibit rix, /usr/libexec/udisks2/udisks2-inhibit rix, diff --git a/apparmor.d/gvfs-afc-volume-monitor b/apparmor.d/gvfs-afc-volume-monitor new file mode 100644 index 000000000..ee66e3feb --- /dev/null +++ b/apparmor.d/gvfs-afc-volume-monitor @@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}lib/gvfs/gvfs-afc-volume-monitor +@{exec_path} += /usr/libexec/gvfs-afc-volume-monitor +profile gvfs-afc-volume-monitor @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} 
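Review bot: The added `umount @{run}/user/[0-9]*/**/,` is far wider than the `mount` rule added a few lines above it, which is scoped to `@{run}/user/[0-9]*/gvfs/`; as written fusermount may unmount anything beneath any user's runtime directory, not only the gvfs FUSE mount. Unless other FUSE mounts under `@{run}/user` are expected, `umount @{run}/user/[0-9]*/gvfs/,` keeps the unmount side symmetric with the mount side. Because fusermount is a setuid helper, `owner` cannot narrow the `[0-9]*` user component, so the path itself is the only scoping available in this rule.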
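Review bot: In the geany hunk the `network inet stream,` and `network inet6 stream,` rules go from commented out to live with nothing saying which feature needs a socket; an editor normally does not, so a reader cannot tell whether this is for a plugin, a build/run command or something else. A one-line comment above them, along the lines of `# Needed by <feature that opens the socket>` (placeholder), would keep the widening reviewable later.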
diff --git a/apparmor.d/gvfs-goa-volume-monitor b/apparmor.d/gvfs-goa-volume-monitor
new file mode 100644
index 000000000..78e664424
--- /dev/null
+++ b/apparmor.d/gvfs-goa-volume-monitor
@@ -0,0 +1,24 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfs-goa-volume-monitor
+@{exec_path} += /usr/libexec/gvfs-goa-volume-monitor
+profile gvfs-goa-volume-monitor @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfs-gphoto2-volume-monitor b/apparmor.d/gvfs-gphoto2-volume-monitor
new file mode 100644
index 000000000..c33b61a68
--- /dev/null
+++ b/apparmor.d/gvfs-gphoto2-volume-monitor
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfs-gphoto2-volume-monitor
+@{exec_path} += /usr/libexec/gvfs-gphoto2-volume-monitor
+profile gvfs-gphoto2-volume-monitor @{exec_path} {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ @{sys}/class/scsi_generic/ r,
+
+ /etc/fstab r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfs-mtp-volume-monitor b/apparmor.d/gvfs-mtp-volume-monitor
new file mode 100644
index 000000000..c5b8d0138
--- /dev/null
+++ b/apparmor.d/gvfs-mtp-volume-monitor
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfs-mtp-volume-monitor
+@{exec_path} += /usr/libexec/gvfs-mtp-volume-monitor
+profile gvfs-mtp-volume-monitor @{exec_path} {
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfs-udisks2-volume-monitor b/apparmor.d/gvfs-udisks2-volume-monitor
new file mode 100644
index 000000000..daf6708a3
--- /dev/null
+++ b/apparmor.d/gvfs-udisks2-volume-monitor
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfs-udisks2-volume-monitor
+@{exec_path} += /usr/libexec/gvfs-udisks2-volume-monitor
+profile gvfs-udisks2-volume-monitor @{exec_path} {
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ signal (send) set=(term, kill) peer=mount,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/lsof rix,
+
+ /{usr/,}bin/mount rPx,
+ /{usr/,}bin/umount rPx,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ w,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ /etc/fstab r,
+
+ # Mount points
+ /media/*/ r,
+ /media/*/*/ r,
+ @{HOME}/*/*/ r,
+ @{HOME}/*/*/**/ r,
+
+ owner @{HOME}/.local/share/mime/treemagic r,
+ /usr/share/mime/treemagic r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ @{run}/mount/utab r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/cgroup r,
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd b/apparmor.d/gvfsd
new file mode 100644
index 000000000..25725a219
--- /dev/null
+++ b/apparmor.d/gvfsd
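Review bot: `/{usr/,}bin/lsof rix,` runs lsof inside this profile, but nothing here grants the `@{PROC}/*/fd/`, `@{PROC}/*/` or similar reads lsof needs to enumerate other processes' open files, so the call will presumably either spray denials or return nothing useful; it would help to state in a comment what the monitor uses lsof for so the missing rules (or a dedicated child profile with just those reads) can be judged against that purpose. Also, `@{HOME}/*/*/ r,` and `@{HOME}/*/*/**/ r,` under `# Mount points` carry no `owner`, unlike the `treemagic` rule just below; if the intent is mount points under the invoking user's home, `owner` would match the rest of the profile.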
@@ -0,0 +1,72 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2021 Mikhail Morfikov
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gvfs/gvfsd
+@{exec_path} += /usr/libexec/gvfsd
+profile gvfsd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ # Don't strip env here.
+ /{usr/,}lib/gvfs/gvfsd-* rcx -> backends,
+ /usr/libexec/gvfsd-* rcx -> backends,
+
+ /usr/share/gvfs/{,**} r,
+
+ owner @{run}/user/[0-9]*/gvfs/ rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+
+ profile backends {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,
+
+ /{usr/,}lib/gvfs/gvfsd-* mr,
+ /usr/libexec/gvfsd-* mr,
+
+ /{usr/,}bin/ssh rPx,
+ /usr/bin/fusermount{,3} rPx,
+
+ /dev/ptmx rw,
+ /dev/fuse rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ owner @{run}/samba/ rw,
+ @{run}/mount/utab r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/gvfsd-metadata b/apparmor.d/gvfsd-metadata
new file mode 100644
index 000000000..d6f285f8d
--- /dev/null
+++ b/apparmor.d/gvfsd-metadata
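Review bot: In the `backends` child profile, `/usr/bin/fusermount{,3} rPx,` is the only executable rule in this file written without the `/{usr/,}bin/` alternation, so on a system without merged /usr, where fusermount lives in `/bin`, the transition would be denied; `/{usr/,}bin/fusermount{,3} rPx,` matches the `ssh` rule directly above it and, presumably, the attachment path of the fusermount profile. The `# Don't strip env here.` comment on the `rcx` lines says what but not why — one clause naming the variable the backends need from gvfsd's environment would stop a later cleanup from "fixing" it to `rCx`. It is also worth a comment above `profile backends {` that every gvfsd-* backend deliberately shares one child, since the network-facing ones (the `@{run}/samba/` and `ssh` rules show at least those are covered) thereby also receive `/dev/fuse rw` and the `mount` rule that only the FUSE backend needs.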
@@ -0,0 +1,30 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}lib/gvfs/gvfsd-metadata +@{exec_path} += /usr/libexec/gvfsd-metadata +profile gvfsd-metadata @{exec_path} { + include + include + + network netlink raw, + + @{exec_path} mr, + + owner @{HOME}/.local/share/gvfs-metadata/ rw, + owner @{HOME}/.local/share/gvfs-metadata/** rw, + + include if exists +} diff --git a/apparmor.d/hardinfo b/apparmor.d/hardinfo index ac9222a57..8c216a692 100644 --- a/apparmor.d/hardinfo +++ b/apparmor.d/hardinfo @@ -155,7 +155,7 @@ profile hardinfo @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/coredump_filter rw, - @{sys}/fs/cgroup/** r, + @{sys}/fs/cgroup/{,**} r, owner /tmp/hsperfdata_*/ rw, owner /tmp/hsperfdata_*/@{pid} rw, diff --git a/apparmor.d/hypnotix b/apparmor.d/hypnotix index 4a09583ea..cffdae22f 100644 --- a/apparmor.d/hypnotix +++ b/apparmor.d/hypnotix @@ -52,10 +52,10 @@ profile hypnotix @{exec_path} { /{usr/,}sbin/ldconfig rix, /{usr/,}bin/mkdir rix, - /{usr/,}bin/xdg-screensaver rPx, - /{usr/,}bin/youtube-dl rPx, + /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, - /{usr/,}lib/firefox/firefox rPUx, + /{usr/,}bin/youtube-dl rPx, + /{usr/,}lib/firefox/firefox rPx, # Which files hypnotix should be able to open / r, 
@@ -94,5 +94,29 @@ profile hypnotix @{exec_path} { # Silencer /{usr/,}lib/hypnotix/** w, + + profile xdg-screensaver { + include + include + + /{usr/,}bin/xdg-screensaver mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/which rix, + /{usr/,}bin/xset rix, + /{usr/,}bin/xautolock rix, + /{usr/,}bin/dbus-send rix, + + owner @{HOME}/.Xauthority r, + + # file_inherit + /dev/dri/card[0-9]* rw, + network inet stream, + network inet6 stream, + } + include if exists } diff --git a/apparmor.d/minitube b/apparmor.d/minitube index ff7387b31..f32e06f61 100644 --- a/apparmor.d/minitube +++ b/apparmor.d/minitube @@ -97,10 +97,10 @@ profile minitube @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, # Be able to turn off the screensaver while playing movies - /{usr/,}bin/xdg-screensaver rPUx, + /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + /{usr/,}lib/firefox/firefox rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -129,5 +129,28 @@ profile minitube @{exec_path} { } + profile xdg-screensaver { + include + include + + /{usr/,}bin/xdg-screensaver mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/which rix, + /{usr/,}bin/xset rix, + /{usr/,}bin/xautolock rix, + /{usr/,}bin/dbus-send rix, + + owner @{HOME}/.Xauthority r, + + # file_inherit + /dev/dri/card[0-9]* rw, + network inet stream, + network inet6 stream, + } + include if exists } diff --git a/apparmor.d/mount b/apparmor.d/mount index c968920e6..e714794d7 100644 --- a/apparmor.d/mount +++ b/apparmor.d/mount @@ -30,6 +30,11 @@ profile mount @{exec_path} flags=(complain) { mount, + network inet stream, + network inet6 stream, + + signal (receive) set=(term, kill), + @{exec_path} mr, /{usr/,}bin/ntfs-3g rPx, diff --git a/apparmor.d/mpv b/apparmor.d/mpv index d82c2d133..c244af25e 100644 --- a/apparmor.d/mpv 
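Review bot: The `profile xdg-screensaver { ... }` child added to hypnotix here is repeated verbatim in the minitube hunk on this same line and in the mpv hunk that follows — the same eight `rix` binaries, `.Xauthority`, `/dev/dri` and network rules three times. Since `include` is textual, moving the block into an abstraction (say `abstractions/xdg-screensaver-child`, a constructed name) and including it from each of the three profiles means a future fix — a missing helper binary or an extra dbus rule — lands everywhere at once instead of drifting between copies. A short comment at the top of the shared block saying which callers rely on it would complete the picture.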
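Review bot: In the mount hunk, the added `signal (receive) set=(term, kill),` has no `peer=`, so any process may deliver term/kill to mount, while the matching sender in the new gvfs-udisks2-volume-monitor profile is pinned with `peer=mount`. Making the receive side symmetric, `signal (receive) set=(term, kill) peer=gvfs-udisks2-volume-monitor,`, records which peer is expected, and further senders can be listed the same way if they exist. The `network inet stream,` / `network inet6 stream,` lines above it deserve a one-line comment as well, since the profile does not show which mount type needs a socket.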
+++ b/apparmor.d/mpv @@ -126,6 +126,8 @@ profile mpv @{exec_path} { ##include /etc/vdpau_wrapper.cfg r, + #/etc/samba/smb.conf r, + # What's this for? (since v0.30.0) @{sys}/bus/ r, @{sys}/class/ r, @@ -144,7 +146,7 @@ profile mpv @{exec_path} { @{run}/udev/data/c116:[0-9]* r, # for ALSA # Be able to turn off the screensaver while playing movies - /{usr/,}bin/xdg-screensaver rPUx, + /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, # External apps /{usr/,}bin/youtube-dl rPUx, @@ -153,5 +155,29 @@ profile mpv @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + + profile xdg-screensaver { + include + include + + /{usr/,}bin/xdg-screensaver mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/which rix, + /{usr/,}bin/xset rix, + /{usr/,}bin/xautolock rix, + /{usr/,}bin/dbus-send rix, + + owner @{HOME}/.Xauthority r, + + # file_inherit + /dev/dri/card[0-9]* rw, + network inet stream, + network inet6 stream, + } + include if exists } diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss index 5caa2b62f..0a3f9597c 100644 --- a/apparmor.d/quiterss +++ b/apparmor.d/quiterss @@ -61,7 +61,7 @@ profile quiterss @{exec_path} { owner @{HOME}/.cache/QuiteRss/** rwl -> @{HOME}/.cache/QuiteRss/**, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, - owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, owner @{PROC}/@{pid}/fd/ r, deny @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/smtube b/apparmor.d/smtube index a3696573f..31df6d4e8 100644 --- a/apparmor.d/smtube +++ b/apparmor.d/smtube @@ -62,7 +62,7 @@ profile smtube @{exec_path} { owner @{HOME}/.cache/smtube/* rwk, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, - owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, /var/lib/dbus/machine-id r, /etc/machine-id r, 
diff --git a/apparmor.d/spacefm b/apparmor.d/spacefm index 15bbb12fd..29db39dab 100644 --- a/apparmor.d/spacefm +++ b/apparmor.d/spacefm @@ -57,8 +57,7 @@ profile spacefm @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, - @{sys}/fs/cgroup/**/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/**/cpu.cfs_period_us r, + @{sys}/fs/cgroup/{,**} r, # To read/write files in the system. The read permission is granted for all files, the write # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in diff --git a/apparmor.d/ssh b/apparmor.d/ssh new file mode 100644 index 000000000..ee50d7a2a --- /dev/null +++ b/apparmor.d/ssh @@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/ssh +profile ssh @{exec_path} { + include + include + include + include + + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + owner @{PROC}/@{pid}/fd/ r, + + owner @{HOME}/.ssh/ r, + owner @{HOME}/.ssh/config r, + owner @{HOME}/.ssh/known_hosts r, + owner @{HOME}/.ssh/*_rsa{,.pub} r, + owner @{HOME}/.ssh/*_ed25519{,.pub} r, + + /etc/ssh/ssh_config r, + /etc/ssh/ssh_config.d/ r, + + include if exists +} diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry index 7e254ebf1..a7e6ef46d 100644 --- a/apparmor.d/strawberry +++ b/apparmor.d/strawberry 
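Review bot: In the new ssh profile, `owner @{HOME}/.ssh/known_hosts r,` gives ssh no way to record a newly seen host key, so under enforcement every connection to a new host prompts again and the key is never persisted, which means a later key change cannot be detected — the opposite of what known_hosts is for. `owner @{HOME}/.ssh/known_hosts{,.old} rw,` keeps trust-on-first-use working (`ssh-keygen -R` rewrites through a `.old` copy). `/etc/ssh/ssh_config.d/ r,` covers only the directory, so if the system `ssh_config` includes `/etc/ssh/ssh_config.d/*.conf` as Debian's does, those snippets need `/etc/ssh/ssh_config.d/*.conf r,` to take effect, and `/etc/ssh/ssh_known_hosts r,` is worth adding for the same reason. The identity rules match only `*_rsa` and `*_ed25519`; if leaving out `*_ecdsa` and any `IdentityFile` outside `~/.ssh` is the intended safe default, a comment saying so would save the next reader from treating it as an oversight.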
@@ -69,7 +69,7 @@ profile strawberry @{exec_path} { owner @{HOME}/.cache/strawberry/** rwl -> @{HOME}/.cache/strawberry/networkcache/prepared/#[0-9]*[0-9], owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, - owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, owner @{HOME}/.cache/xine-lib/ rw, owner @{HOME}/.cache/xine-lib/plugins.cache{,.new} rw, diff --git a/apparmor.d/strawberry-tagreader b/apparmor.d/strawberry-tagreader index 63763ded2..d92b5ee5a 100644 --- a/apparmor.d/strawberry-tagreader +++ b/apparmor.d/strawberry-tagreader @@ -33,7 +33,7 @@ profile strawberry-tagreader @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, owner @{HOME}/.anyRemote/anyremote.stdout w, - owner @{HOME}/.cache/gstreamer-*/registry.x86_64.bin.tmp* rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, include if exists } diff --git a/apparmor.d/systemd-analyze b/apparmor.d/systemd-analyze index 6366103df..f8e23e58c 100644 --- a/apparmor.d/systemd-analyze +++ b/apparmor.d/systemd-analyze @@ -40,7 +40,7 @@ profile systemd-analyze @{exec_path} { /etc/systemd/** r, /{usr/,}lib/systemd/** r, - @{sys}/fs/cgroup/{systemd,unified}/** r, + @{sys}/fs/cgroup/{,**} r, @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw, @{sys}/firmware/acpi/tables/FPDT r, diff --git a/apparmor.d/tint2 b/apparmor.d/tint2 index 0716394b8..a35fd1f6a 100644 --- a/apparmor.d/tint2 +++ b/apparmor.d/tint2 @@ -56,7 +56,7 @@ profile tint2 @{exec_path} { @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/**/* r, - @{sys}/fs/cgroup/** r, + @{sys}/fs/cgroup/{,**} r, /dev/shm/#[0-9]*[0-9] rw, diff --git a/apparmor.d/umount b/apparmor.d/umount index 14766b88a..22caa74c4 100644 --- a/apparmor.d/umount +++ b/apparmor.d/umount @@ -33,6 +33,8 @@ profile umount @{exec_path} flags=(complain) { @{exec_path} mr, + /{usr/,}sbin/umount.udisks2 rPx, + # Mount points /media/*/ r, /media/*/*/ r, 
diff --git a/apparmor.d/umount.udisks2 b/apparmor.d/umount.udisks2 new file mode 100644 index 000000000..96c8a8ffe --- /dev/null +++ b/apparmor.d/umount.udisks2 @@ -0,0 +1,23 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}sbin/umount.udisks2 +profile umount.udisks2 @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} diff --git a/apparmor.d/usr.sbin.tcpdump b/apparmor.d/usr.bin.tcpdump similarity index 100% rename from apparmor.d/usr.sbin.tcpdump rename to apparmor.d/usr.bin.tcpdump diff --git a/apparmor.d/usr.sbin.apt-cacher-ng b/apparmor.d/usr.sbin.apt-cacher-ng index 571f58be5..c75ecc56a 100644 --- a/apparmor.d/usr.sbin.apt-cacher-ng +++ b/apparmor.d/usr.sbin.apt-cacher-ng @@ -2,13 +2,13 @@ @{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng -include +#include -profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { - include - include - include - include +profile apt-cacher-ng /usr/sbin/apt-cacher-ng { + #include + #include + #include + #include /etc/apt-cacher-ng/ r, /etc/apt-cacher-ng/** r, @@ -30,6 +30,9 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { /usr/lib/apt-cacher-ng/acngtool ixr, + # used by libevent + @{PROC}/sys/kernel/random/uuid r, + # Site-specific additions and overrides. See local/README for details. - include + #include } diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager index 4c6c65b8f..6d8e27aae 100644 --- a/apparmor.d/virt-manager +++ b/apparmor.d/virt-manager 
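Review bot: The new `umount.udisks2` profile grants only `@{exec_path} mr` plus one abstraction and runs with `flags=(complain)`, so everything the helper does at runtime is logged rather than decided, and because `apparmor.d/umount` now transitions into it with `rPx`, every missing rule will turn into a denial the moment the complain flag is dropped. umount.udisks2 presumably performs the unmount through udisksd over the system bus (not visible here), which would need `dbus` rules before the profile can be enforced. A comment above the profile line such as `# stub: collect rules from complain-mode logs before switching to enforce` would make that state explicit to the next reader.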
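Review bot: Every `include` in `apparmor.d/usr.sbin.apt-cacher-ng` is rewritten to `#include` in both hunks while the rest of the repository uses the plain `include` form; `#include` is the legacy spelling, not a comment, but it reads like one, so a comment explaining why the legacy syntax is required here (an older parser on the host running apt-cacher-ng, presumably) would stop someone from "cleaning it up" later. The first hunk also drops `flags=(complain)`, which moves the profile to enforce mode — a behaviour change that deserves a line in the commit description rather than being folded into "update apparmor profiles". The `# used by libevent` comment on the new `@{PROC}/sys/kernel/random/uuid r,` rule is the right pattern and could be applied to the other non-obvious grants in this file.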
@@ -59,7 +59,7 @@ profile virt-manager @{exec_path} { owner @{HOME}/.cache/virt-manager/** rw, owner @{HOME}/.cache/gstreamer-[0-9]*/ rw, - owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw, + owner @{HOME}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, # For disk images /media/ r, diff --git a/apparmor.d/vlc b/apparmor.d/vlc index 751d9c7c1..4bd534761 100644 --- a/apparmor.d/vlc +++ b/apparmor.d/vlc @@ -141,7 +141,7 @@ profile vlc @{exec_path} { /usr/share/hwdata/pnp.ids r, # Be able to turn off the screensaver while playing movies - /{usr/,}bin/xdg-screensaver rPUx, + /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, # Silencer deny /{usr/,}lib/@{multiarch}/vlc/{,**} w, @@ -150,5 +150,29 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, + + profile xdg-screensaver { + include + include + + /{usr/,}bin/xdg-screensaver mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/which rix, + /{usr/,}bin/xset rix, + /{usr/,}bin/xautolock rix, + /{usr/,}bin/dbus-send rix, + + owner @{HOME}/.Xauthority r, + + # file_inherit + /dev/dri/card[0-9]* rw, + network inet stream, + network inet6 stream, + } + include if exists } diff --git a/apparmor.d/xarchiver b/apparmor.d/xarchiver index 6b444b3e5..6e5d6bb20 100644 --- a/apparmor.d/xarchiver +++ b/apparmor.d/xarchiver @@ -44,11 +44,16 @@ profile xarchiver @{exec_path} { /{usr/,}bin/bzip2 rix, /{usr/,}bin/cpio rix, /{usr/,}bin/gzip rix, + /{usr/,}bin/zstd rix, # For deb packages /{usr/,}bin/{,@{multiarch}-}ar rix, /{usr/,}bin/xdg-open rCx -> open, + include + owner @{run}/user/[0-9]*/dconf/ rw, + owner @{run}/user/[0-9]*/dconf/user rw, + owner @{HOME}/.config/xarchiver/ rw, owner @{HOME}/.config/xarchiver/xarchiverrc{,.*} rw, diff --git a/apparmor.d/xdg-screensaver b/apparmor.d/xdg-screensaver index db50f6383..1bf03394c 100644 --- a/apparmor.d/xdg-screensaver 
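Review bot: In the xarchiver hunk the bare `include` (its argument is not visible in this rendering) is inserted between the exec rules and the new dconf lines rather than with the profile's other includes at the top; if it is the dconf abstraction, the explicit `owner @{run}/user/[0-9]*/dconf/ rw,` and `owner @{run}/user/[0-9]*/dconf/user rw,` lines directly below would duplicate what the abstraction already grants — check the abstraction and keep only one of the two. Either way, moving the include to the profile head and adding a short comment on the dconf rules naming the feature that needs them would make the hunk self-explanatory. The enclosing xarchiver profile starts and ends outside the hunk.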
+++ b/apparmor.d/xdg-screensaver @@ -31,14 +31,14 @@ profile xdg-screensaver @{exec_path} { /{usr/,}bin/cat rix, /{usr/,}bin/uname rix, + /{usr/,}bin/xautolock rix, + /{usr/,}bin/dbus-send rix, + /{usr/,}bin/xprop rPx, /{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xset rPx, /{usr/,}bin/hostname rPx, - /{usr/,}bin/xautolock rCx -> xautolock, - /{usr/,}bin/dbus-send rCx -> dbus, - /dev/dri/card[0-9] rw, owner @{HOME}/ r, @@ -47,34 +47,5 @@ profile xdg-screensaver @{exec_path} { owner @{run}/user/[0-9]*/ r, - # file_inherit - owner @{HOME}/.xsession-errors w, - /dev/dri/card[0-9]* rw, - - - profile xautolock { - include - include - - /{usr/,}bin/xautolock mr, - - # file_inherit - /dev/dri/card[0-9]* rw, - - owner @{HOME}/.Xauthority r, - - } - - profile dbus { - include - include - - /{usr/,}bin/dbus-send mr, - - # file_inherit - /dev/dri/card[0-9]* rw, - - } - include if exists } diff --git a/apparmor.d/xfconfd b/apparmor.d/xfconfd index f78a1b2e5..ea4cd11ba 100644 --- a/apparmor.d/xfconfd +++ b/apparmor.d/xfconfd @@ -20,7 +20,9 @@ profile xfconfd @{exec_path} { @{exec_path} mr, - owner @{HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-notifyd.xml{,.new} rw, + /etc/xdg/xfce4/xfconf/*/*.xml r, + + owner @{HOME}/.config/xfce4/xfconf/*/*.xml{,.new} rw, # file_inherit owner /dev/tty[0-9]* rw,
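Review bot: Switching `xautolock` and `dbus-send` from `rCx -> xautolock` / `rCx -> dbus` to `rix` lets both tools inherit the entire xdg-screensaver profile, including its `rPx` transitions to xprop, xdg-mime, xset and hostname and every file rule, whereas the removed child profiles limited them to `mr` on their own binary, `/dev/dri/card[0-9]*` and, for xautolock, `.Xauthority`. That is a widening the commit message does not mention; if the children were removed only to stop duplicating rules, the tighter option is to keep `rCx` and put the shared body in an abstraction. If `rix` is the intended end state, a comment such as `# rix: xautolock and dbus-send inherit this profile (formerly separate child profiles)` would document the choice. The enclosing profile starts outside the hunk.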
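Review bot: Removing the `# file_inherit` block drops `/dev/dri/card[0-9]* rw,` and `owner @{HOME}/.xsession-errors w,`, and the rule that survives in the first hunk is `/dev/dri/card[0-9] rw,` without the trailing `*`, so card numbers of two or more digits (card10 and up) are no longer matched and an inherited stderr pointing at `.xsession-errors` will be denied when the script is spawned from an X session. If those grants are now expected to come from the callers' child profiles (the mpv and vlc children in this commit both carry `/dev/dri/card[0-9]* rw,`), the standalone profile still has to stand on its own for every other launcher; restoring `/dev/dri/card[0-9]* rw,` in place of the single-digit rule is the one-line fix, and the `.xsession-errors` line should be dropped only if it is confirmed unnecessary.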